How to create a Let’s Encrypt SSL encrypted Reverse Proxy for Plex in OpenMediaVault

I’ve been messing around for a long time with creating reverse proxy‘s for the applications I use with OpenMediaVault. Creating a Let’s Encrypt SSL encrypted reverse proxy for Plex especially. But in the last few days I finally managed to achieve it. Today I’m going to share with you how to create encrypted Reverse Proxy for Plex in OpenMediaVault 2.x using Let’s Encrypt free SSL-certificates.

Initial Obstacles to Consider and Prerequisites

If you’ve followed my previous tutorial about reverse proxy’s for Radarr, Sonarr, Transmission and SABnzbd you’re approaching these apps using a Request URI such as /radarr or /sonarr. I’ve come to the conclusion that this isn’t going to work for Plex.

Because I approach OpenMediaVault at nas.mydomain.com/ and Plex doesn’t offer the option to modify the URL base, I’ve chosen to give Plex it’s own subdomain, e.g. plex.mydomain.com.

Plex is somewhat authistic when it comes to the routes it uses for requests. I didn’t investigate it any further, but its URL base needs to be /web/index.html. E.g. /plex/web/index.html seems to be unacceptable for the app. I’ve tried it and although its support forums are bloated with authors claiming they managed to make it work, I couldn’t.

This tutorial assumes that you’re familiar with creating subdomains and have updated your DNS-records with an A-record pointing towards the system serving Plex.

Since Let’s Encrypt doesn’t offer wildcard SSL-certificates, you need to generate a seperate certificate for the subdomain serving Plex, e.g. plex.mydomain.com. If you’re wondering how to create a Let’s Encrypt SSL certificate in OMV, I suggest you read this tutorial.

How to create a Nginx Reverse Proxy for Plex in OMV

It’s quite simple to create a reverse proxy for Plex. Applications like SABnzbd and Sonarr offer the option to change the URL base, which means we only have to add a location-block inside the existing server-block to make the reverse proxy work. Plex needs its own server-block, because we can’t modify the URL base.

Create a new file within /etc/nginx/sites-available/ using your favourite text editor, e.g.

nano /etc/nginx/sites-available/openmediavault-plex

Paste the following contents inside the new file:

server {

listen [::]:443;

server_name plex.mydomain.com;

rewrite https://$host$request_uri? permanent;

error_log /var/log/nginx/openmediavault-plex_error.log error;

access_log /var/log/nginx/openmediavault-plex_access.log combined;

ssl on;

# These are the paths to your generated Let's Encrypt SSL certificates.

After this all that’s left to do is to restart Nginx: service nginx restart and you’re done. Plex Media Server should be reachable from your browser at https://plex.mydomain.com.

All that’s left to do now is alter your router and Plex configuration. You can now close port 32400 within your router’s configuration and disable ‘remote access’ within Plex.

For your Plex Clients to ‘see’ Plex Media Server you need to add the URL’s to Settings > Network within Plex Media Server. Within the field Custom Server Access URL’s add http://plex.mydomain.com:80,https://plex.mydomain.com:443. Also make sure to change the Secure Connections setting to ‘Preferred’.

That’s it. Now your Plex Media Server is reachable through a fully SSL-encrypted Nginx Reverse Proxy. You’ve hardened your local networks security by closing a port and implementing an SSL-certificate for your connection.